I have an OpenVPN server that only a few clients are using and, due to the Heartbleed issue, I've simply recreated the server certificates.

I've also deleted all the previous certificate files from the server. My assumption is that since I've regenerated the server certificates and keys, previously generated client certificates can't connect to the server anymore, since their certificates are not signed with the new server certificates I've created.

I'm perfectly happy with this; I just want to make sure that someone can't connect using an old certificate. Am I right?

More details:
I've followed the OpenVPN guide here and (hopefully) rebuilt the certificate authority as well by doing:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca

Just before the steps above the guide says:

Enter the following to generate the master Certificate Authority (CA) certificate and key:

So my guess is I've replaced everything. My problem is I do not have the old certificates and in order to revoke them I need them!

Even more details:
I've gotten hold of a previously working client certificate and configuration and if I try to connect using that I get:

Yes, creating a new CA cert will allow only the certificates signed by that cert to connect. Certificates signed by the old CA will be rejected.
– Sammitch Apr 16 '14 at 19:34

Thanks! Care to write this as an answer so that I can accept it?
– sarikan Apr 16 '14 at 19:43

1

Assuming you actually made a new CA cert, and not just a new server cert and client certs. In that case, you'll need to revoke the old certs and use a CRL file in the server's OpenVPN config.
– Sirex Apr 16 '14 at 20:25

1

Sirex has a good point here: you don't say whether or not you've changed the CA root. You don't actually need to (see this question for details) but if you haven't, and you haven't both revoked the old certificates and configured the OpenVPN server to use that CRL, then the old clients will indeed still be able to connect: their certificates are signed by a CA the server continues to regard as valid.
– MadHatter Apr 16 '14 at 21:12

@MadHatter I've updated the question. Do I still sound right?
– sarikan Apr 16 '14 at 22:45
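
Added example (not part of the original thread): a shell check, using the `openssl` command line, of the two cases the comments distinguish. It builds a constructed "old" and "new" CA that share the same subject name but have different keys, issues a client certificate from each, and tests which client chains to which CA. All file names and subjects are made up for the demo; run the same `openssl verify` against your real CA file and an old client certificate to confirm your own setup.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file here is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <file-stem>: self-signed CA. Both CAs get the SAME subject,
# as happens when a CA is rebuilt with unchanged settings; only the key differs.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example VPN CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client <ca-stem> <client-stem>: client cert signed by that CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 30 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to <ca-stem> <client-stem>: exit 0 only if the client cert
# verifies against that CA file (the trust decision a server makes
# when that file is its configured CA).
chains_to() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca old-ca
make_ca new-ca
issue_client old-ca old-client
issue_client new-ca new-client

for ca in old-ca new-ca; do
    for client in old-client new-client; do
        if chains_to "$ca" "$client"; then verdict=ACCEPT; else verdict=REJECT; fi
        echo "server trusts $ca, client presents $client: $verdict"
    done
done
```

The `old-ca`/`old-client` row is the case Sirex and MadHatter warn about: if the CA was kept and only the server certificate was reissued, old client certificates still verify, and only a CRL loaded by the server (OpenVPN's `crl-verify` directive) blocks them.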